Bug 559579 (CVE-2010-0296)

Summary: CVE-2010-0296 glibc: Improper encoding of names with certain special character in utilities for writing to mtab table
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: fweimer, jakub, jlayton, law, meyering, rcvalle, security-response-team, wnefal+redhatbugzilla
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-02-13 20:52:58 UTC
Bug Depends On: 599045, 688214, 688215, 767685, 769360
Bug Blocks: 767564

Description Jan Lieskovsky 2010-01-28 14:35:30 UTC
It was found that glibc's utility, responsible for editing
of the system's mtab table, improperly sanitized user-supplied
mount point names containing certain special characters. A local
attacker could use this flaw to add arbitrary mount points
(corrupt the system's "/etc/mtab" file) or, potentially, set
unauthorized mount options. Other attacks are also possible.

Issue severity note:
The /etc/mtab file handles mounted devices and is automatically
updated by the mount command (more precisely by the dedicated
"mount" tool for the relevant filesystem). For an unprivileged user
to be able to run such a tool (and modify the content of /etc/mtab),
this tool needs to be suid root. The dedicated "mount"
tools, as shipped with Red Hat Enterprise Linux (mount.cifs,
mount.fuse, fusermount, mount.nfs, mount.nfs4), do NOT allow
unprivileged users to use them (without prior grant of additional
privileges from the privileged user) for editing of the system's
/etc/mtab file, which mitigates the impact of this flaw.

Comment 10 Jan Lieskovsky 2010-06-02 14:48:16 UTC
Public via:
  [1] http://www.ubuntu.com/usn/usn-944-1

Comment 11 Jan Lieskovsky 2010-06-02 14:52:43 UTC
CVE-2010-0296 description from Mitre:

The encode_name macro in misc/mntent_r.c in the GNU C Library (aka
glibc or libc6) 2.11.1 and earlier, as used by ncpmount and
mount.cifs, does not properly handle newline characters in mountpoint
names, which allows local users to cause a denial of service (mtab
corruption), or possibly modify mount options and gain privileges, via
a crafted mount request.

  [1] http://frugalware.org/security/662
  [2] http://sourceware.org/git/?p=glibc.git;a=commit;h=ab00f4eac8f4932211259ff87be83144f5211540
  [3] http://www.ubuntu.com/usn/USN-944-1
  [4] http://securitytracker.com/id?1024043
  [5] http://secunia.com/advisories/39900
  [6] http://www.vupen.com/english/advisories/2010/1246
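Added example, not glibc's code and not part of the bug report: an encoder/decoder in the style of the octal escaping that misc/mntent_r.c applies to mtab fields, with a flag that models the missing newline case the Mitre description refers to, plus a check an mtab writer can run before appending a record. The exact escape set and the helper names (encode_name, decode_name, mtab_field_is_safe) are assumptions here.

```c
#include <stdlib.h>
#include <string.h>

/* Octal-escape one mtab field in the style of glibc's mntent_r.c (space, tab,
   newline, backslash -> \040 \011 \012 \134; exact set assumed here).
   escape_newline=0 models the pre-fix behaviour of CVE-2010-0296. Caller frees. */
char *encode_name(const char *name, int escape_newline)
{
    char *out = malloc(4 * strlen(name) + 1), *wp = out; /* worst case: all escaped */
    if (!out) return NULL;
    for (const char *rp = name; *rp; rp++) {
        const char *esc = NULL;
        switch (*rp) {
        case ' ':  esc = "\\040"; break;
        case '\t': esc = "\\011"; break;
        case '\\': esc = "\\134"; break;
        case '\n': if (escape_newline) esc = "\\012"; break;
        }
        if (esc) { memcpy(wp, esc, 4); wp += 4; } else *wp++ = *rp;
    }
    *wp = '\0'; return out;
}

/* Undo the escaping: backslash followed by three octal digits -> one byte. */
char *decode_name(const char *enc)
{
    char *out = malloc(strlen(enc) + 1), *wp = out;
    if (!out) return NULL;
    for (const char *rp = enc; *rp;) {
        if (rp[0] == '\\' && rp[1] >= '0' && rp[1] <= '3' && rp[2] >= '0'
            && rp[2] <= '7' && rp[3] >= '0' && rp[3] <= '7') {
            *wp++ = (char)(((rp[1] - '0') << 6) | ((rp[2] - '0') << 3) | (rp[3] - '0'));
            rp += 4;
        } else
            *wp++ = *rp++;
    }
    *wp = '\0'; return out;
}

/* Pre-write check for an mtab writer: the encoded field must stay on one
   record line and must decode back to the original name. */
int mtab_field_is_safe(const char *name, int escape_newline)
{
    char *enc = encode_name(name, escape_newline);
    char *dec = enc ? decode_name(enc) : NULL;
    int ok = enc && dec && !strchr(enc, '\n') && strcmp(dec, name) == 0;
    free(enc); free(dec);
    return ok;
}
```

With escape_newline set to 0 a name containing a newline fails the check because the encoded field would span two mtab records; with it set to 1 the same name round-trips on a single line.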

Comment 16 errata-xmlrpc 2011-04-04 20:06:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0412 https://rhn.redhat.com/errata/RHSA-2011-0412.html

Comment 19 errata-xmlrpc 2012-02-13 20:35:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0125 https://rhn.redhat.com/errata/RHSA-2012-0125.html